Posted to commits@ranger.apache.org by sp...@apache.org on 2021/01/28 21:05:44 UTC

[ranger] branch master updated: RANGER-3153: Updated TLS version to 1.2 for ranger

This is an automated email from the ASF dual-hosted git repository.

spolavarapu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new 5df5124  RANGER-3153: Updated TLS version to 1.2 for ranger
5df5124 is described below

commit 5df512439c85199abacb84675b91d0b704fb61f0
Author: Sailaja Polavarapu <sp...@cloudera.com>
AuthorDate: Thu Jan 28 13:05:28 2021 -0800

    RANGER-3153: Updated TLS version to 1.2 for ranger
---
 .../main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java   | 6 +++---
 .../src/main/resources/conf.dist/ranger-admin-default-site.xml      | 4 ++--
 .../apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java  | 2 +-
 unixauthservice/conf.dist/ranger-ugsync-default.xml                 | 2 +-
 .../org/apache/ranger/authentication/UnixAuthenticationService.java | 4 ++--
 5 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java b/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
index 757461d..8edcbbb 100644
--- a/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
+++ b/embeddedwebserver/src/main/java/org/apache/ranger/server/tomcat/EmbeddedServer.java
@@ -77,7 +77,7 @@ public class EmbeddedServer {
 	private static final String KMS_SERVER_NAME   = "rangerkms";
 	public static final String RANGER_KEYSTORE_FILE_TYPE_DEFAULT = KeyStore.getDefaultType();
 	public static final String RANGER_TRUSTSTORE_FILE_TYPE_DEFAULT = KeyStore.getDefaultType();
-	public static final String RANGER_SSL_CONTEXT_ALGO_TYPE = "TLS";
+	public static final String RANGER_SSL_CONTEXT_ALGO_TYPE = "TLSv1.2";
 	public static final String RANGER_SSL_KEYMANAGER_ALGO_TYPE = KeyManagerFactory.getDefaultAlgorithm();
 	public static final String RANGER_SSL_TRUSTMANAGER_ALGO_TYPE = TrustManagerFactory.getDefaultAlgorithm();
 
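Review bot: Changing RANGER_SSL_CONTEXT_ALGO_TYPE to "TLSv1.2" selects the SSLContext algorithm, and on JDK 8-era JSSE a "TLSv1.2" context still enables TLSv1 and TLSv1.1 on the sockets and engines it creates unless the enabled-protocol list is restricted separately; the constant's use site is outside this hunk, so its consumer should be checked for a matching setEnabledProtocols call. The connector in the third hunk is covered, because `sslEnabledProtocols` there is narrowed to TLSv1.2 as well. The same concern applies to `SSLContext.getInstance("TLSv1.2")` in CustomSSLSocketFactory.java, where sockets come straight from `sslContext.getSocketFactory()` with no protocol restriction visible in the hunk, and to SSL_ALGORITHM in UnixAuthenticationService.java, which at least builds an enabledProtocolsList. Pinning to exactly TLSv1.2 also excludes TLSv1.3 on runtimes that offer it, so a comment such as `// TLSv1.2 is both the floor and the ceiling here; widen together with ranger.service.https.attrib.ssl.enabled.protocols` would help the next maintainer.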
@@ -151,7 +151,7 @@ public class EmbeddedServer {
 			ssl.setSecure(true);
 			ssl.setScheme("https");
 			ssl.setAttribute("SSLEnabled", "true");
-			ssl.setAttribute("sslProtocol", EmbeddedServerUtil.getConfig("ranger.service.https.attrib.ssl.protocol", "TLS"));
+			ssl.setAttribute("sslProtocol", EmbeddedServerUtil.getConfig("ranger.service.https.attrib.ssl.protocol", "TLSv1.2"));
 			ssl.setAttribute("keystoreType", EmbeddedServerUtil.getConfig("ranger.keystore.file.type", RANGER_KEYSTORE_FILE_TYPE_DEFAULT));
 			ssl.setAttribute("truststoreType", EmbeddedServerUtil.getConfig("ranger.truststore.file.type", RANGER_TRUSTSTORE_FILE_TYPE_DEFAULT));
 			String clientAuth = EmbeddedServerUtil.getConfig("ranger.service.https.attrib.clientAuth", "false");
@@ -172,7 +172,7 @@ public class EmbeddedServer {
 			ssl.setAttribute("keystorePass", keystorePass);
 			ssl.setAttribute("keystoreFile", getKeystoreFile());
 
-			String defaultEnabledProtocols = "SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2";
+			String defaultEnabledProtocols = "TLSv1.2";
 			String enabledProtocols = EmbeddedServerUtil.getConfig("ranger.service.https.attrib.ssl.enabled.protocols", defaultEnabledProtocols);
 			ssl.setAttribute("sslEnabledProtocols", enabledProtocols);
 			String ciphers = EmbeddedServerUtil.getConfig("ranger.tomcat.ciphers");
diff --git a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
index fd957ca..8842071 100644
--- a/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
+++ b/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml
@@ -288,7 +288,7 @@
 
 	<property>
 		<name>ranger.service.https.attrib.ssl.protocol</name>
-		<value>TLS</value>
+		<value>TLSv1.2</value>
 	</property>
 
 	<property>
@@ -592,7 +592,7 @@
 	</property>
         <property>
                 <name>ranger.service.https.attrib.ssl.enabled.protocols</name>
-                <value>SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2</value>
+                <value>TLSv1.2</value>
         </property>
         <!-- Encryption -->
        <property>
diff --git a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java
index e97c477..b361835 100644
--- a/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java
+++ b/ugsync/src/main/java/org/apache/ranger/ldapusersync/process/CustomSSLSocketFactory.java
@@ -104,7 +104,7 @@ public class CustomSSLSocketFactory extends SSLSocketFactory{
 				}
 			}
 
-			sslContext = SSLContext.getInstance("TLS");
+			sslContext = SSLContext.getInstance("TLSv1.2");
 
 			sslContext.init(kmList, tmList, new SecureRandom());
 			sockFactory = sslContext.getSocketFactory();
diff --git a/unixauthservice/conf.dist/ranger-ugsync-default.xml b/unixauthservice/conf.dist/ranger-ugsync-default.xml
index 0f88aa3..9cedc99 100644
--- a/unixauthservice/conf.dist/ranger-ugsync-default.xml
+++ b/unixauthservice/conf.dist/ranger-ugsync-default.xml
@@ -27,7 +27,7 @@
 	</property>
 	<property>
 		<name>ranger.usersync.https.ssl.enabled.protocols</name>
-		<value>SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2</value>
+		<value>TLSv1.2</value>
 	</property>
 	<property>
 		<name>ranger.usersync.passwordvalidator.path</name>
diff --git a/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java b/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
index 92eb229..6e401b8 100644
--- a/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
+++ b/unixauthservice/src/main/java/org/apache/ranger/authentication/UnixAuthenticationService.java
@@ -58,7 +58,7 @@ public class UnixAuthenticationService {
 
 	private static final String serviceName = "UnixAuthenticationService";
 
-	private static final String SSL_ALGORITHM = "TLS";
+	private static final String SSL_ALGORITHM = "TLSv1.2";
 	private static final String REMOTE_LOGIN_AUTH_SERVICE_PORT_PARAM = "ranger.usersync.port";
 
 	private static final String SSL_KEYSTORE_PATH_PARAM = "ranger.usersync.keystore.file";
@@ -237,7 +237,7 @@ public class UnixAuthenticationService {
 		String SSLEnabledProp = prop.getProperty(SSL_ENABLED_PARAM);
 		
 		SSLEnabled = (SSLEnabledProp != null &&  (SSLEnabledProp.equalsIgnoreCase("true")));
-		String defaultEnabledProtocols = "SSLv2Hello, TLSv1, TLSv1.1, TLSv1.2";
+		String defaultEnabledProtocols = "TLSv1.2";
 		String enabledProtocols = prop.getProperty("ranger.usersync.https.ssl.enabled.protocols", defaultEnabledProtocols);
 		enabledProtocolsList=new ArrayList<String>(Arrays.asList(enabledProtocols.toUpperCase().trim().split("\\s*,\\s*")));
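Review bot: The new default "TLSv1.2" is passed through `toUpperCase()` on the following line before being split into enabledProtocolsList, so the stored value is "TLSV1.2"; JSSE protocol names are case-sensitive, so whatever consumes this list (outside the hunk) presumably normalizes case, otherwise the previous default would not have worked either — worth confirming rather than assuming. If the conf.dist file is loaded into `prop`, the literal here is only a fallback behind ranger-ugsync-default.xml, which this commit also changes; a short comment above the line, e.g. `// fallback only: ranger-ugsync-default.xml carries the same default, keep the two in sync`, would record that. The enclosing method begins and ends outside this hunk.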
 //		LOG.info("Key:" + keyStorePath);